24 April 2006

If you are the parent of a son or daughter at an institution of higher learning, this is a notice that makes you shake your head in disappointment. And if you are the Chief Information Security Officer at the University of Texas - McCombs, you wonder how this could happen again.

Unauthorized Access of Computer Records Discovered at The University of Texas at Austin

AUSTIN, Texas – The University of Texas at Austin officials announced today (April 23) that an unknown person or persons has gained entry to the McCombs School of Business computers and gained unauthorized access to a large number of McCombs’ electronic records.

“It is our highest priority to notify those who may be affected by this security breach,” said university President William Powers Jr. “We have notified the attorney general and his Internet enforcement unit and are doing everything we can to protect those whose information has been accessed unlawfully.”

The security violation was discovered late Friday, April 21, and the university has devoted all available resources to identify the extent and source of the breach. Some of an estimated 197,000 records were accessed.

An investigation has determined that information from the business school’s computer system was obtained as early as April 11, including some Social Security numbers and possibly other biographical data, including those of alumni, faculty, staff and current and prospective students of the business school as well as corporate recruiters.

Even though the transnational nature of data theft is a major financial concern for law enforcement, the banking community and the potential consumers impacted at this university, there are other priorities that may pose a greater risk to US financial institutions. Money laundering and the enforcement of the Bank Secrecy Act (BSA) remain a continuing priority of the United States Treasury and the Office of the Comptroller of the Currency (OCC).

An examination of Metrobank by the Office of the Comptroller of the Currency found deficiencies in Metrobank's anti-money laundering program, revealing that Metrobank had failed to implement an adequate system of internal controls to ensure compliance with the Bank Secrecy Act and manage the risks of money laundering involving funds transfers. The examination also revealed that Metrobank had failed to conduct adequate independent testing to allow for the timely identification and correction of Bank Secrecy Act compliance failures. These failures in internal controls and independent testing led, in turn, to failures by Metrobank to identify and report suspicious transactions in a timely manner. The failures of Metrobank to comply with the Bank Secrecy Act and the regulations issued pursuant to that Act were significant.

Metrobank and Metro Remittance handle large volumes of funds transfers involving the Philippines and, since September 2003, the People's Republic of China. The volume of funds transfers to the Philippines in 2003 was 162,000 transactions totaling $208 million. Prior to February 11, 2005, the Philippines was included in the list of Non-Cooperative Countries or Territories designated by the Financial Action Task Force on Money Laundering.

While this civil penalty will result in a fine of only $150,000, you could predict that the true cost will be much higher. A due diligence system installed in 2003 has not been effective, and the reliance on manual controls is the source of much of the bank's failure to run a fully compliant Anti-Money Laundering (AML) program. The passage of the USA PATRIOT Act, after the terrorist attacks of September 11, 2001, has placed greater emphasis on AML issues. Increased scrutiny of potential laundering, and the stringent requirements placed on institutions to step up their detection of money laundering by terrorist groups, reinforce the need for certified professionals who protect institutions from potentially devastating laundering crimes.

The lack of oversight at banking institutions and universities alike comes back to a single aspect of Operational Risk Management. Without a framework for managing risk of all kinds, and without an effective system for continuous risk monitoring, you are setting yourself up for a major loss.


About

Operational Risk is defined as the risk of loss resulting from inadequate or failed processes, people, and systems or from external events. The definition includes legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes exposure to litigation arising from all aspects of an institution's activities.

"The Only Thing Necessary For Evil To Triumph Is For Good Men To Do Nothing." --E. Burke